diff --git a/ChangeLog b/ChangeLog
index 110e68750..60da292fb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2018-08-29 Werner Lemberg
+
+ [cff] Fix handling of `roll' op in old engine.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10080
+
+ * src/psaux/cffdecode.c (cff_decoder_parse_charstrings)
+ [CFF_CONFIG_OPTION_OLD_ENGINE]: Use modulo for loop count, as
+ documented in the specification.
+
 2018-08-26 Werner Lemberg
 * src/truetype/ttobjs.c (tt_size_read_bytecode): Trace CVT values.
diff --git a/src/psaux/cffdecode.c b/src/psaux/cffdecode.c
index 3f4cfd42b..1641ccd71 100644
--- a/src/psaux/cffdecode.c
+++ b/src/psaux/cffdecode.c
@@ -1821,6 +1821,7 @@
 if ( idx >= 0 )
 {
+ idx = idx % count;
 while ( idx > 0 )
 {
 FT_Fixed tmp = args[count - 1];
@@ -1835,6 +1836,10 @@
 }
 else
 {
+ /* before C99 it is implementation-defined whether */
+ /* the result of `%' is negative if the first operand */
+ /* is negative */
+ idx = -( ( -idx ) % count );
 while ( idx < 0 )
 {
 FT_Fixed tmp = args[0];
diff --git a/src/psaux/psstack.c b/src/psaux/psstack.c
index d49cf25b6..665906800 100644
--- a/src/psaux/psstack.c
+++ b/src/psaux/psstack.c
@@ -258,6 +258,9 @@
 return;
 }
+ /* before C99 it is implementation-defined whether */
+ /* the result of `%' is negative if the first operand */
+ /* is negative */
 if ( shift < 0 )
 shift = -( ( -shift ) % count );
 else
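Review bot: `idx = idx % count;` in the first cffdecode.c hunk, and `( -idx ) % count` in the second, are undefined behaviour when `count` is zero, and neither hunk shows a guard on `count`; the psstack.c hunk appears to sit right after such an early return, but the cffdecode.c path does not visibly have one. If the surrounding code does not already clamp it, add `if ( count <= 0 ) count = 1;` before the reduction, otherwise the malformed input that triggered the fuzz report would now reach a division by zero instead of an overlong loop. The negation in the second hunk also assumes `idx` cannot be the most negative value of its type; that holds if `idx` is the integer part of a 16.16 value, which is not visible here, so a comment such as `/* idx is a 16-bit integer part, so -idx cannot overflow */` would make the assumption checkable. The enclosing switch case for the `roll' operator starts before the first hunk and continues past the second.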